authorJaymes Wilks <mjwilks@us.ibm.com>2016-11-08 10:58:25 -0600
committerWilliam G. Hoffa <wghoffa@us.ibm.com>2017-01-05 14:00:52 -0500
commitfd1dc5a2c009d61145e2bb96865cf5de47674fb4 (patch)
treeb418fb811189020bb509a566fec40c660b04452d /src/usr/secureboot/base
parent82af686f8456f594ae17409f1e1e70fc55485cd8 (diff)
port p8 secureboot settings code to p9
Update the p9 branch to handle the secure settings states as per p8 code but with the new updated p9 constant values. Remove caching of register values. Change-Id: I0a29ce0103a8f9b60b421a4bb625f12adcd916f8 RTC:161916 Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/32490 Reviewed-by: Stephen M. Cprek <smcprek@us.ibm.com> Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com> Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com> Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com> Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com> Reviewed-by: William G. Hoffa <wghoffa@us.ibm.com>
Diffstat (limited to 'src/usr/secureboot/base')
-rw-r--r--src/usr/secureboot/base/containerheader.C3
-rw-r--r--src/usr/secureboot/base/securerom.C5
-rw-r--r--src/usr/secureboot/base/service.C9
-rw-r--r--src/usr/secureboot/base/settings.C66
-rw-r--r--src/usr/secureboot/base/test/secureromtest.H5
5 files changed, 62 insertions, 26 deletions
diff --git a/src/usr/secureboot/base/containerheader.C b/src/usr/secureboot/base/containerheader.C
index 5f8e2fdc7..a807d7d12 100644
--- a/src/usr/secureboot/base/containerheader.C
+++ b/src/usr/secureboot/base/containerheader.C
@@ -23,8 +23,7 @@
/* */
/* IBM_PROLOG_END_TAG */
#include <secureboot/containerheader.H>
-
-extern trace_desc_t* g_trac_secure;
+#include "../common/securetrace.H"
// Quick change for unit testing
//#define TRACUCOMP(args...) TRACFCOMP(args)
diff --git a/src/usr/secureboot/base/securerom.C b/src/usr/secureboot/base/securerom.C
index dd859c6ab..9a1bca5ae 100644
--- a/src/usr/secureboot/base/securerom.C
+++ b/src/usr/secureboot/base/securerom.C
@@ -32,12 +32,11 @@
#include <devicefw/driverif.H>
#include <errl/errlentry.H>
#include <errl/errlmanager.H>
+#include "../common/securetrace.H"
#include "securerom.H"
#include "../settings.H"
-extern trace_desc_t* g_trac_secure;
-
// Quick change for unit testing
//#define TRACUCOMP(args...) TRACFCOMP(args)
#define TRACUCOMP(args...)
@@ -103,6 +102,8 @@ void getHwHashKeys(sha2_hash_t o_hash)
Public Methods
********************/
+// allow external methods to access g_trac_secure
+using namespace SECUREBOOT;
/**
* @brief Initialize Secure Rom by loading it into memory and
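Review bot: The file-scope `using namespace SECUREBOOT;` added after the Public Methods banner pulls every name of that namespace into the rest of securerom.C only to reach the trace descriptor, and the comment above it ("allow external methods to access g_trac_secure") does not describe that. Assuming securetrace.H (not shown here) declares g_trac_secure inside SECUREBOOT, a using-declaration is narrower: `using SECUREBOOT::g_trac_secure;`. The same directive is added in test/secureromtest.H, where it sits in a header and so leaks into whatever includes that file; its comment also says "simply" where "simplify" is meant.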
diff --git a/src/usr/secureboot/base/service.C b/src/usr/secureboot/base/service.C
index a557655f3..59750b786 100644
--- a/src/usr/secureboot/base/service.C
+++ b/src/usr/secureboot/base/service.C
@@ -42,7 +42,7 @@
#include <kernel/console.H>
#include <console/consoleif.H>
-extern trace_desc_t* g_trac_secure;
+#include "../common/securetrace.H"
// Quick change for unit testing
//#define TRACUCOMP(args...) TRACFCOMP(args)
@@ -97,7 +97,12 @@ bool enabled()
return Singleton<Settings>::instance().getEnabled();
}
-void handleSecurebootFailure(errlHndl_t &io_err, const bool i_waitForShutdown)
+bool getJumperState()
+{
+ return Singleton<Settings>::instance().getJumperState();
+}
+
+void handleSecurebootFailure(errlHndl_t &io_err, bool i_waitForShutdown)
{
TRACFCOMP( g_trac_secure, ENTER_MRK"handleSecurebootFailure()");
diff --git a/src/usr/secureboot/base/settings.C b/src/usr/secureboot/base/settings.C
index 8caa6708c..9f4377178 100644
--- a/src/usr/secureboot/base/settings.C
+++ b/src/usr/secureboot/base/settings.C
@@ -23,42 +23,70 @@
/* */
/* IBM_PROLOG_END_TAG */
#include <errl/errlentry.H>
+#include <errl/errlmanager.H>
#include <devicefw/userif.H>
-
+#include <secureboot/service.H>
#include "settings.H"
// SECUREBOOT : General driver traces
-trace_desc_t* g_trac_secure = NULL;
-TRAC_INIT(&g_trac_secure, SECURE_COMP_NAME, KILOBYTE); //1K
-
+#include "../common/securetrace.H"
namespace SECUREBOOT
{
- const uint64_t Settings::SECURITY_SWITCH_REGISTER = 0x00010005;
- const uint64_t
- Settings::SECURITY_SWITCH_TRUSTED_BOOT = 0x4000000000000000ull;
+ using namespace TARGETING;
void Settings::_init()
{
- errlHndl_t l_errl = NULL;
- size_t size = sizeof(iv_regValue);
+ // cache only the enabled flag
+ iv_enabled = (0 != (getSecuritySwitch() &
+ static_cast<uint64_t>(ProcSecurity::SabBit)));
+ }
- // Read / cache security switch setting from processor.
- l_errl = deviceRead(TARGETING::MASTER_PROCESSOR_CHIP_TARGET_SENTINEL,
- &iv_regValue, size,
- DEVICE_SCOM_ADDRESS(SECURITY_SWITCH_REGISTER));
+ bool Settings::getEnabled() const
+ {
+ return iv_enabled;
+ }
- // If this errors, we're in bad shape and shouldn't trust anything.
- assert(NULL == l_errl);
+ bool Settings::getJumperState() const
+ {
+ auto l_regValue = readSecurityRegister(
+ static_cast<uint64_t>(ProcCbsControl::StatusRegister));
+
+ return 0 != (l_regValue &
+ static_cast<uint64_t>(ProcCbsControl::JumperStateBit));
}
- bool Settings::getEnabled()
+ uint64_t Settings::getSecuritySwitch() const
{
- return 0 != (iv_regValue & SECURITY_SWITCH_TRUSTED_BOOT);
+ return readSecurityRegister(
+ static_cast<uint64_t>(ProcSecurity::SwitchRegister));
}
- uint64_t Settings::getSecuritySwitch()
+ uint64_t Settings::readSecurityRegister(const uint64_t i_scomAddress) const
{
- return iv_regValue;
+ errlHndl_t l_errl = nullptr;
+ uint64_t l_regValue = 0;
+ size_t size = sizeof(l_regValue);
+
+ // Read secure register setting from processor.
+ l_errl = deviceRead(MASTER_PROCESSOR_CHIP_TARGET_SENTINEL,
+ &l_regValue, size,
+ DEVICE_SCOM_ADDRESS(i_scomAddress));
+
+ if (nullptr != l_errl)
+ {
+ errlCommit(l_errl, SECURE_COMP_ID);
+ // This assert is needed because the deviceRead returns an
+ // informational error log so the system would otherwise not be
+ // halted.
+ assert(false,"SECUREBOOT::Settings::readSecurityRegister() Unable"
+ " to read security register");
+ }
+ assert(size == sizeof(l_regValue),
+ "size returned from device read is not the expected size of %i",
+ sizeof(l_regValue));
+
+ return l_regValue;
}
+
}
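Review bot: In `readSecurityRegister()` the only thing that stops a failed `deviceRead` from returning is `assert(false, ...)`, and `l_regValue` starts at 0, which `_init()` would read as the SAB bit clear (secure boot not enabled) and `getJumperState()` as the jumper bit clear. If assert is always fatal in this firmware that is acceptable, but the dependency should be stated where the value is initialised, for example `// Must not return on read failure: 0 would be read as "security disabled" by callers`. Separately, the size assert passes `sizeof(l_regValue)` (a `size_t`) to `%i` and prints only the expected size; printing `size` as well, with a matching conversion or a cast, would make that failure diagnosable.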
diff --git a/src/usr/secureboot/base/test/secureromtest.H b/src/usr/secureboot/base/test/secureromtest.H
index d324de8cc..805b5bc2b 100644
--- a/src/usr/secureboot/base/test/secureromtest.H
+++ b/src/usr/secureboot/base/test/secureromtest.H
@@ -37,12 +37,15 @@
#include "../securerom.H"
-extern trace_desc_t* g_trac_secure;
+#include "../../common/securetrace.H"
// Quick change for unit testing
//#define TRACUCOMP(args...) TRACFCOMP(args)
#define TRACUCOMP(args...)
+// simply the syntax of accessing g_trac_secure
+using namespace SECUREBOOT;
+
/**********************************************************************/
/* UTILITY FUNCTIONS */
/* -- note: these functions do not commit error logs */